For more fun, set your X-Forwarded-For header to '"\-- and watch how many websites break down. Youtube broke, but they fixed it the same evening when I mailed them (not that they told me this). Even a website about SSL certificates outputted the MySQL error, practically instructing me how to perform the SQL-injection. Many other websites told me "Your IP address ('"\--) will be logged when you register." Whatismyip.com doesn't actually detect a proxy, even with the x-forwarded-for header set. It might be a combination of things.
–
LucMay 25 '13 at 11:36

Beyond what Polynomial said, another common practice is to have the browser view the site with and without HTTPS, and see if the connections come from the same IP.

Many transparent (e.g. caching) proxies will allow SSL traffic to pass by without proxying, since proxying an SSL connection requires spoofing certificates, and this causes a whole bucket of other problems.

In this case, the SSL address is the "real" one, and the non-SSL address is the address of the proxy.

It may be possible for web-servers/websites to find the real IP while behind a proxy. Generally HTTP proxy servers, upon receiving a request from a client/user, append a new field (X-Forwarded-For) in the HTTP header and subsequently forward the request to the web-server. This X-Forwarded-For field has the client's IP address. Hence, by analyzing this field, a website can figure out the real IP address.

However, the poxy servers provide different levels of anonymity. If a highly anonymous proxy is used (also known as elite proxy), then it might not be possible for the website to find the real IP address, as these elite proxies don't usually include such headers. Another option is using Ultrasurf if you want to hide real IP address.

Check this post for details on x-forwarded-for header and a simple demo python script that shows how a web-server can detect the use of a proxy server: X-Forwarded-For